2017-10-31 10:56 PM
Hi all,
I have a task which my boss asked me to do. He wanted me to make a PHP script that queries RSA NetWitness to get the total attack count and show it on the website, a digital attack map.
So I created a PHP script that performs the query to get the total attack count from RSA NetWitness and retrieves the data.
Here is my code:
<?php
include 'config.php'; // defines $SAUser, $SAPass, $DevIP and $DevPort
// SDK query URL: credentials, host and port, then the URL-encoded "select count(*) where ..." query
$filename = 'http://'.$SAUser.':'.$SAPass.'@'.$DevIP.':'.$DevPort.'/sdk?msg=query&force-content-type=application/json&expiry=600&query=select%20count%28*%29%20where%20device.type%3D%27snort%27%26%26%20alert%20exists%20%26%26%20alert%3D%27tag_cesium%27%2C%27tag_ce...
$json = file_get_contents($filename); // fetch the JSON response from the SDK endpoint
echo $json;                            // print the raw response
?>
In the script, $filename holds the IP address, port number, username and password of the RSA NetWitness and performs the query (counting all the rows of attacks at the particular time).
When I run the script, the output is shown below:
[
  {
    "flags" : 1074200578,
    "results" : {
      "id1" : 0,
      "id2" : 0,
      "fields" : [
        {
          "id1" : 0,
          "id2" : 0,
          "count" : 0,
          "format" : 8,
          "type" : "",
          "flags" : 2,
          "group" : 0,
          "value" : "0"
        }
      ]
    }
  },
  {
    "flags" : 1074200577,
    "results" : {
      "id1" : 32155288570,
      "id2" : 32155288569,
      "fields" : [
      ]
    }
  }
]
I am not able to grasp the total attack count values. Any guidance or link that can help me with this?
Please help me. Thank you.
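As an added example (not the poster's script or RSA's code), here is one way to read the count out of the response structure above, with the credentials moved out of the URL into a Basic auth header and the query percent-encoded by PHP instead of by hand. It assumes the appliance is reachable over HTTPS and reuses the config.php variable names from the post; SAMPLE_RESPONSE is a constructed copy of the posted output.

```php
<?php
// Added example (not the poster's script): query the NetWitness SDK with credentials in an
// Authorization header, and read the count out of the JSON reply. SAMPLE_RESPONSE is a
// constructed copy of the response structure posted above.
const SAMPLE_RESPONSE = '[{"flags":1074200578,"results":{"id1":0,"id2":0,"fields":[{"id1":0,'
    . '"id2":0,"count":0,"format":8,"type":"","flags":2,"group":0,"value":"0"}]}},'
    . '{"flags":1074200577,"results":{"id1":32155288570,"id2":32155288569,"fields":[]}}]';
// http_build_query percent-encodes the query, so quotes, parentheses and && need no hand escaping.
function buildSdkUrl(string $host, int $port, string $query, int $expiry = 600): string
{
    $params = ['msg' => 'query', 'force-content-type' => 'application/json',
               'expiry' => $expiry, 'query' => $query];
    return sprintf('https://%s:%d/sdk?%s', $host, $port,
                   http_build_query($params, '', '&', PHP_QUERY_RFC3986));
}
// Send the credentials as HTTP Basic auth instead of user:pass@ in the URL, where they end up
// in proxy logs and error messages. Assumes the appliance is reachable over HTTPS.
function fetchSdk(string $url, string $user, string $pass): ?string
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'GET',
        'header'  => 'Authorization: Basic ' . base64_encode($user . ':' . $pass),
        'timeout' => 30,
    ]]);
    $body = file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}
// A "select count(*)" reply carries one field whose "value" holds the count as a string; the
// other message has no fields. Returns the summed count (0 for the no-hits reply above) or
// null when the body is not valid JSON or contains no numeric value at all.
function extractCount(string $json): ?int
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return null;
    }
    $total = null;
    foreach ($data as $message) {
        foreach ($message['results']['fields'] ?? [] as $field) {
            if (isset($field['value']) && is_numeric($field['value'])) {
                $total = ($total ?? 0) + (int) $field['value'];
            }
        }
    }
    return $total;
}
// Live use with the config.php values: fetchSdk(buildSdkUrl($DevIP, (int) $DevPort, $query), $SAUser, $SAPass)
echo json_encode(['attack_count' => extractCount(SAMPLE_RESPONSE)]), PHP_EOL;
```

Returning null rather than 0 on a malformed or empty body lets the website tell "no attacks" apart from "the query failed", which is what the empty-fields reply in the post looks like at first glance.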
2017-11-01 07:01 AM
The output is telling you there are no hits. It could be due to the time window or an error in the query.
I would also recommend that you use a "Values" call instead of a "Query" one: just pick an indexed key and get the values for that key. Make sure it is something like "medium", which differentiates between hits on packets and logs; since your query is for log data only, that would work. Alternatively, use something like device.type, as again it's something that you are forcing to be unique in your result set.
"Values" calls are normally more efficient than "Query" calls due to their nature of running only against a key index vs. the entire meta DB.
Hope it helps!
Regards,
Rui